Wednesday, April 15, 2015

Google, Microsoft and token leaks

Some stir recently was caused by OAuth open redirector and even an RFC security addendum was created for it. While this was known for quite some time already, it's still good to remind the general public. So here's another known issue - an Open Redirector in OpenID.
It works like this - whenever "checkid_immediate" mode is used it redirects without any questions asked. And here's an example in accounts.google.com: